  • [5 Votes, 1 Post, 737 Views] baris

    We recently received some inquiries about how long we will support 1.x and 2.x with security fixes.

    1.x will be supported for another 12 months, up until August 2024.

    2.x will be supported for another 24 months, up until August 2025.

    We also released https://github.com/NodeBB/NodeBB/releases/tag/v2.8.16 and https://github.com/NodeBB/NodeBB/releases/tag/v1.19.12 containing some of the fixes from the 3.x line. If you are not able to upgrade to 3.x we encourage you to upgrade to these releases.

  • [4 Votes, 1 Post, 229 Views] baris

    A bug in our socket.io authentication code can result in Cross-Site WebSocket Hijacking (CSWSH)

    Affected versions <2.8.13 & <3.1.3

    We have resolved this in the latest versions of NodeBB (2.8.13 & 3.1.3), and the fix has already been rolled out as a patch on all of our hosted customers.

    The fix is included in the latest 2.8.13 & 3.1.3 releases:
    https://github.com/NodeBB/NodeBB/releases/tag/v2.8.13
    https://github.com/NodeBB/NodeBB/releases/tag/v3.1.3

  • [0 Votes, 1 Post, 467 Views] julian

    Yesterday, I wrote a teaser about technical debt in NodeBB:

    In our specific case, there are other factors that also cause technical debt to incur outside of trying to "move fast and break things". Technologies change, design patterns shift, user expectations are adjusted, or scope is expanded after-the-fact. All of these could cause even a well-designed system to incur some form of technical debt simply due to the fact that you don't know how a given feature will evolve over time.

    Our experience with technical debt is similar to others' in many ways, although I feel lucky in that we're able to approach it a lot differently than others.

    Specifically, many definitions speak of technical debt as something incurred in the pursuit of faster results. A trade-off that makes sense at the time due to time constraints.

    In our case, technical debt builds most often because we have a single vision for what a feature could be, but do not have the additional context to realize just how that feature could be used in the future.

    A contrived example — user groups

    A good example of technical debt is the user groups system. When initially conceived, a user group was akin to a Facebook group. A way for users to gather together under a common banner. We later expanded this with the formation of the group badge, which is still in NodeBB today.

    What we quickly came to realize was that there were tons of benefits that could be realized with a common user grouping system. Gamification could be tied to user groups, tagging groups of users made sense, and most importantly, privileges could be tied to user groups.

    Whenever we ended up in a situation where user groupings made sense, we made use of the pre-existing user groups system. It ended up simplifying a lot of things because we had that groups system that we knew would work predictably. It meant that separate, contained systems need not be re-invented every time you needed to segregate users apart.

    The debt? User groups as per the initial design have no numeric identifiers. A user has a uid, a topic has a tid, a category has a cid, a post has a pid, you get the idea. So when it came time to create groups, I gave it some thought and decided that group IDs were unnecessary, as the primary identifier would be the group name itself. After all, why would a forum want two groups named the same thing? Madness!

    In hindsight, of course, a group ID system would make a lot more sense. It'd make even more sense given that the Write API works almost exclusively on those IDs (groups are the one exception).

    We're lucky in that while the debt exists, its impact on day-to-day development is fairly minimal. Other examples of debt are more impactful, but I can't easily think of any because we've addressed a lot of them already!

    A hidden benefit of OSS

    A neat little side-benefit of the fact that NodeBB is open-source is that we can choose our priorities more freely as developers. While NodeBB Inc. itself pursues paid contract work and paid support, we often do have time in between paid work to spend on the core product itself. While the draw is always there to develop new and exciting features, we have fostered an internal developer culture of addressing technical debt over time, as we consider any easing of the maintenance burden a win that is compounded over time. Likewise, any impactful technical debt often hinders development, and continuing to hack away around technical debt just makes it harder to resolve altogether.

    The other part of it is that our source code is open. If we are lazy and take shortcuts, someone will eventually call us out on it. 😓

  • [4 Votes, 1 Post, 180 Views] baris

    We will be dropping support for Node.js 14.x in NodeBB 3.x.

    Node.js 14 will be out of maintenance in April 2023, and some of our dependencies no longer support it.

    You can see the Node.js release schedule here: https://github.com/nodejs/release#release-schedule

  • [6 Votes, 1 Post, 274 Views] julian

    I wanted to provide an update to my robot-written post from the other day regarding NodeBB and the Docker Hub.

    On the 14th of March, we received an email from Docker which laid out in plain terms that we were on a plan that was to-be-sunset, and that all of our data was to be deleted.

    If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply. At any point during the 30-day period, you can restore access to your organization account if you upgrade to a paid subscription. Visit our FAQ for more information.

    Looking into this, it does appear that the NodeBB organization is on the "Docker Free Team" plan. We've been using the Docker Hub as a means to distribute our images, as it seems to be the de facto gathering point for people using Docker. There's an implicit guarantee of quality since the NodeBB image is published by NodeBB, the organization.

    So, it seems like all of our historical images are getting deleted. Bummer!

    N.B. A developer relations representative from Docker posted later on Hacker News that this didn't mean the "images" would be deleted — but only "organization data" — since that wasn't explicitly specified in the blurb above. Did you catch that in the italicized blurb above? I sure didn't. Do you believe it? I sure don't.

    Is this fair?

    That's a rather nuanced question with many facets. I will simply point out that the Docker organization has provided their registry for free for anyone who wanted it, and it was (and still is) their prerogative to do so. It also means that should they withdraw that generosity, that's also within their prerogative, despite how it affects the open-source community at large.

    There's no onus on Docker to provide their services for free, and it is difficult for companies to find a pathway toward profitability, especially when costs escalate without a corresponding match in revenue.

    Isn't Docker supported by NodeBB?

    Not officially, no. NodeBB's stance on Docker has been passive. I like to maintain that support for the Docker image (and the Dockerfile found in our repo) is on a community-supported basis only.

    The reason for this is that the main developers of NodeBB (@baris and myself) don't use Docker. It would be unfair to you, the end user, to have us try to support Docker, because we would be pretty abysmal at it. We've chosen to dedicate our time and resources elsewhere, and it does mean that our Docker implementation is minimal, perhaps lackluster.

    The second part of this is that I personally (and I very specifically do not use the "company we" here, as this is my personal opinion) am not sold on containerization. I certainly understand the convenience benefits, and the security benefits, but I consider this an abstraction that actively harms low-level understanding of how software interacts with an operating system. For the same reason I eschew front-end frameworks from a career perspective, I am hesitant on going all-in on Docker or other related technologies for similar reasons. I will not go in-depth about this for now, but reserve the right to blather on about it at a later date 😄

    I also realize that Docker is a very popular tool. The fact that it has become a household term for so many developers is a rather strong signal that containerization is The Real Deal. It is very possible that there may be a fundamental shift in the operations space away from pure ops and towards DevOps in the future that will necessitate action on our part. However, I don't think we are there right now, and I feel that this move from Docker may have set this line of thinking back for some time to come.

    Isn't NodeBB open-source? Can't you apply for an open-source account?

    Yes, and no.

    NodeBB is an open-source product. Our code is hosted on GitHub (thanks Microsoft!), and licensed under the GPL v3 license.

    At the same time, we have chosen to make this our livelihood. @baris and I have managed (with @psychobunny, for many years) to build a forum platform that can sustain our families, and allow us to spend at least part of our time on the open-source aspect of NodeBB. We offer professional consultation, theme design, custom plugins (both private and public), and a SaaS platform where you can have us host and maintain your own NodeBB, for a fee.

    Docker considers this a violation of their open-source qualification criteria:

    Not have a pathway to commercialization. Your organization must not seek to make a profit through services or by charging for higher tiers. Accepting donations to sustain your efforts is permissible.

    They have chosen to support the most vulnerable open-source developers, the ones who contribute and maintain open-source projects just for the benefit to the world, and that's commendable. We do not fit that narrow scope, and that's fine too.

    What happens now?

    Docker wants us to pay to use the Docker Hub, and we have decided not to, for the reasons given above.

    Community members have already shared their thoughts with us, and are even helping us transition away from Docker Hub. We really appreciate them! We have no vested interest in Docker, and with regards to containerization of NodeBB, we will go where the prevailing winds of public opinion take us. Whether that be the GitHub Container Registry, or somewhere else.

    There are users whose NodeBB installs are maintained via the images on Docker Hub. We currently don't have guidance for those users, but we will in the coming days/weeks. If you are one of those users, what's important to note now is that you can no longer rely on those images being around in perpetuity.

    This is an issue that — as of writing — is currently still in flux. Public opinion is heated and so are the responses from Docker.

    References

    • https://blog.alexellis.io/docker-is-deleting-open-source-images/ (Hacker News Discussion)
    • https://www.docker.com/blog/we-apologize-we-did-a-terrible-job-announcing-the-end-of-docker-free-teams/ (Hacker News Discussion)

  • [2 Votes, 1 Post, 230 Views] baris

    A bug in our message parsing code can result in remote code execution.

    Affected versions >=2.5.0 <2.8.7

    We have resolved this in the latest version of NodeBB (2.8.7), and the fix has already been rolled out as a patch on all of our hosted customers.

    The fix is included in the latest 2.8.7 release: https://github.com/NodeBB/NodeBB/releases/tag/v2.8.7

    If you are not able to upgrade to the latest release, you can also cherry-pick or apply this commit manually: https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092

  • [2 Votes, 1 Post, 158 Views] julian

    The updates continue unabated here, as we work on updating the Harmony theme, page by page!

    These past couple of weeks, you might've noticed that the /users page got a refresh:

    Screenshot 2023-02-10 at 15-24-08 Community.png

    Almost all of the elements have remained unchanged. There is no new information here, but it's absolutely shocking to see how much more balanced the page is compared to Persona.

    We also updated the flag list and details pages, to give those tireless content moderators a bit of a boost as well. You might notice that the list of flag filters in the sidebar has been updated to match the UI controls found in the /search page as well.

    Screenshot 2023-02-10 at 15-21-31 NodeBB.png

    Screenshot 2023-02-10 at 15-21-26 NodeBB.png

    Here is how it used to look on Persona:

    Screenshot 2023-02-10 at 15-19-18 NodeBB.png

    Screenshot 2023-02-10 at 15-19-24 NodeBB.png

  • [4 Votes, 1 Post, 137 Views] julian

    You might have noticed the search bar integration in the Harmony theme. Similar to Persona, the search bar is omni-present, although it is in a sidebar configuration unlike Persona's top bar (there is no top bar in Harmony as per design spec) 👇

    2dfd978a-3c53-4ef1-a8ae-525f10adcd59-image.png

    @vladstudio and @baris recently turned their attention to the search page as another potential improvement. The main complaint was that it was difficult to use effectively, as we had a large form hidden via an expanding drawer. The ability to filter through search results was functionally complete, but the user experience was lacking.

    0c3c8c86-1cde-45ca-8e83-3c10495f86a0-image.png

    Per @vladstudio:

    The main interface issue I wanted to fix in the Search page is that:

    • the advanced controls are hidden by default;
    • when opened, they jump at me all at once and occupy the entire screen.

    I wanted to make the following changes:

    • make all controls visible by default;
    • make them more “gradual”, so that each individual filter takes as little space as possible.

    My assumptions were that:

    • the majority of users will glance through the controls and discover them, but not use them;
    • those who do use advanced controls will not use all of them, only a couple.

    So I tried to optimize for these assumptions.

    Harmony was updated with a completely re-designed search results page, that puts the content front-and-center while ensuring that you can see each filter applied, at-a-glance.

    6982aef1-2a33-4547-876d-dc8ef40732b7-image.png

    While the content creation and consumption aspects of forums are our primary aims with NodeBB (and the Harmony theme as well), archival is an oft-overlooked benefit as well.

    The ability to retain and later find relevant content is paramount to the continued existence of forum-based communities, and it is one that is minimized or outright hidden from the end user on social media.

    Do a web search on any topic under the sun, and more often than not, you'll find a forum topic with a detailed discussion about it — not a Facebook post, not a Twitter thread, not an Instagram reel.

    Social media is ephemeral, forums are not. Let's keep it that way 😉

  • [4 Votes, 1 Post, 140 Views] julian

    Tonight I come to you all hat-in-hand as I reveal a blunder I made over a year ago...

    See, on 16 July of 2021, I was refactoring the Flags API, and adding new routes to the Write API for flags administration. While updating the API spec, I was impatient and wanted the tests to finish quicker, so I commented out a couple hundred tests so they'd run faster:

    da13101f-69ce-4884-ada7-dc9ca8a1c632-image.png

    I just also happened to forget to re-enable them 😱

    What does this mean?

    The test/api.js file dynamically generates tests to ensure that:

    • The Read and Write APIs are syntactically correct as per the OpenAPI spec
    • The routes defined in our spec files match the actual routes that NodeBB serves
    • Each route responds correctly and its response body matches what is expected

    We needed these tests because the OpenAPI spec is manually curated, and without them the spec would be out-of-sync with how NodeBB actually behaves.

    So the spec is out-of-sync?

    And how! I spent the past few days bringing the spec back up to date, and the PR was just merged today into bootstrap5, so as of v3, the Read API documentation will be in sync again. The Write API documentation remained in sync as those tests were enabled all along.

    Conclusion

    If over the latter half of 2021 and 2022, this API synchronization bit you, I apologize! The changes to the APIs were mostly minor — a couple of properties were added to different routes, although there were some properties removed or renamed.

  • [0 Votes, 1 Post, 119 Views] T

    Hi there!

    Wondering what a proper object would look like for updating a user's notification settings with a PUT request. The only example from the docs doesn't drill very deep (showfullname: "1"), and I'm trying to understand what I should send to update a user's notification preferences. The response is a string, and in the network activity I can see that it is just "notification" -- but I'm trying to update settings.notificationsettings[i].emailnotification to true or false or whatever the relevant binary-type values are. Am I in the right ballpark?

    Thanks!

  • [3 Votes, 1 Post, 202 Views] julian

    Hello all,

    We are notifying you today about a security vulnerability that was present in older versions of NodeBB. We were notified of these vulnerabilities on 25 May 2022, and have patched and released fixed versions of NodeBB, v2.0.1 and v1.19.8, three days later, on 28 May.

    The specifics of this vulnerability are available upon request, but they are considered critical and affect the security of any site running an affected version of NodeBB. Admins are urged to upgrade to these patched versions as soon as possible.

    Alternatively, the following changesets can be cherry-picked into your installation of NodeBB in lieu of a full upgrade:

    v2.x: https://github.com/NodeBB/NodeBB/commit/e802fab87f94a13f397f04cfe6068f2f7ddf7888
    v1.19.x: https://github.com/NodeBB/NodeBB/commit/81e3c1ba488d03371a5ce8d0ebb5c5803026e0f9

    As always, the NodeBB team is available at your disposal to answer any questions or provide assistance in implementing these changesets.

    For more information on the security vulnerability, please visit the GitHub Security Advisory page for this disclosure.

  • Creating multiple admins (NodeBB Development) [0 Votes, 1 Post, 201 Views] R

    Re: Creating multiple Node BB Admins but with limited access to ACP

    @PitaJ , how can we create multiple admins? Can we assign a user as admin in Dashboard, please let me know.

  • [0 Votes, 1 Post, 225 Views] S

    Under every section, I want to store every category in a separate <ul/> list.
    This is what I currently have, and there are 2 problems:

    • All content disappears from the categories, and a bunch more appear for some reason (no clue why this is happening: https://i.imgur.com/pNIGH2v.png)

    • Not sure how to repeat this loop until the section category is reached (forgive my poor logical thinking :D)

    categories.tpl (nodebb-theme-oxide):
    https://i.imgur.com/Hqyu3zm.png

    https://i.imgur.com/MLpqvY1.png

    https://i.imgur.com/Nw6DHyk.png

  • NodeBB v1.18.5 released. (Moved: NodeBB Development) [5 Votes, 1 Post, 893 Views] E

    We have released NodeBB v1.18.5. This release contains important security fixes.

    Upgrading is strongly advised.

    Please check our GitHub for details.

    A special thank you goes out to SonarSource for their contributions to this release and their detailed findings! To read more on this, please check out their blog post.

  • [0 Votes, 1 Post, 213 Views] R

    Hi folks,

    I want to validate a user (i.e. set the email confirmed property to true) under the filter:register.shouldQueue filter. Is there any way to do this?

    Feedback appreciated
    Thanks

  • [1 Vote, 1 Post, 211 Views] R

    Hi Community Folks,

    I have a scenario in which I have to pass some custom data, based on a user's properties, to the welcome email template in NodeBB. How can I achieve this?

    Feedback appreciated
    Thanks

  • [0 Votes, 1 Post, 186 Views] R

    Hi folks,

    I am creating a custom plugin in NodeBB, and I want to fetch a list of all authenticated and confirmed users there.

    Feedback appreciated
    Thanks

  • [1 Vote, 1 Post, 206 Views] Antosik

    Hi!

    We have many NodeBB plugins that are no longer maintained, but people still want to use them.

    Can we fork them to NodeBB Community (or other) namespace on GitHub and publish under @nodebb-community (or other) namespace on npm?
    To allow the installation of those plugins from the ACP, we can extend the search range to this namespace too.

    What do you think about this idea? 👀

  • [1 Vote, 1 Post, 215 Views] Strahil Goranov

    Hi,
    Is there a way to get categories by a list of category IDs with the Read or Write API, or do I have to make N calls to get the categories that I want, or is there another way to achieve that?

  • [0 Votes, 1 Post, 198 Views] T

    I think it would be cool to add the category description to the Get Recent Topics API. Wondering if I can get that into a backlog somewhere.